Re: [websec] Coordinating Frame-Options and CSP UI Safety directives
David Ross <dross@microsoft.com> Thu, 12 July 2012 00:21 UTC
Return-Path: <dross@microsoft.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9933911E8176 for <websec@ietfa.amsl.com>; Wed, 11 Jul 2012 17:21:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kMA5+T68AeYo for <websec@ietfa.amsl.com>; Wed, 11 Jul 2012 17:21:47 -0700 (PDT)
Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe005.messaging.microsoft.com [216.32.181.185]) by ietfa.amsl.com (Postfix) with ESMTP id D10C611E816F for <websec@ietf.org>; Wed, 11 Jul 2012 17:21:46 -0700 (PDT)
Received: from mail46-ch1-R.bigfish.com (10.43.68.240) by CH1EHSOBE014.bigfish.com (10.43.70.64) with Microsoft SMTP Server id 14.1.225.23; Thu, 12 Jul 2012 00:19:54 +0000
Received: from mail46-ch1 (localhost [127.0.0.1]) by mail46-ch1-R.bigfish.com (Postfix) with ESMTP id CEB82160204; Thu, 12 Jul 2012 00:19:54 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14MLTC101.redmond.corp.microsoft.com; RD:none; EFVD:NLI
X-SpamScore: -28
X-BigFish: VS-28(zz9371I542M1418I1447Izz1202hzz1033IL8275bh8275dhz2fh2a8h668h839h944hd25hf0ah107ah)
Received-SPF: pass (mail46-ch1: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=dross@microsoft.com; helo=TK5EX14MLTC101.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail46-ch1 (localhost.localdomain [127.0.0.1]) by mail46-ch1 (MessageSwitch) id 1342052392646677_25351; Thu, 12 Jul 2012 00:19:52 +0000 (UTC)
Received: from CH1EHSMHS010.bigfish.com (snatpool1.int.messaging.microsoft.com [10.43.68.240]) by mail46-ch1.bigfish.com (Postfix) with ESMTP id 922303A0047; Thu, 12 Jul 2012 00:19:52 +0000 (UTC)
Received: from TK5EX14MLTC101.redmond.corp.microsoft.com (131.107.125.8) by CH1EHSMHS010.bigfish.com (10.43.70.10) with Microsoft SMTP Server (TLS) id 14.1.225.23; Thu, 12 Jul 2012 00:19:52 +0000
Received: from TK5EX14MBXC216.redmond.corp.microsoft.com ([169.254.6.48]) by TK5EX14MLTC101.redmond.corp.microsoft.com ([157.54.79.178]) with mapi id 14.02.0298.005; Thu, 12 Jul 2012 00:22:13 +0000
From: David Ross <dross@microsoft.com>
To: "Hill, Brad" <bhill@paypal-inc.com>, Tobias Gondrom <tobias.gondrom@gondrom.org>, "websec@ietf.org" <websec@ietf.org>
Thread-Topic: [websec] Coordinating Frame-Options and CSP UI Safety directives
Thread-Index: Ac1eARMykz8Gk35PQYOw0F4CVEc1fgAKMP0AAAFdb4AAZMpUwA==
Date: Thu, 12 Jul 2012 00:22:12 +0000
Message-ID: <68291699F5EA8848B0EAC2E78480571F053A3186@TK5EX14MBXC216.redmond.corp.microsoft.com>
References: <370C9BEB4DD6154FA963E2F79ADC6F2E1799AD@DEN-EXDDA-S12.corp.ebay.com> <4FFB67EE.406@gondrom.org> <370C9BEB4DD6154FA963E2F79ADC6F2E17AE18@DEN-EXDDA-S12.corp.ebay.com>
In-Reply-To: <370C9BEB4DD6154FA963E2F79ADC6F2E17AE18@DEN-EXDDA-S12.corp.ebay.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.23]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Subject: Re: [websec] Coordinating Frame-Options and CSP UI Safety directives
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jul 2012 00:21:47 -0000
Responding to a few of the points in Brad's original mail on this thread... My concern is mostly around the degree to which a move to CSP might complicate or stall the process. I'd also prefer not to see additional use cases pop up (eg: click fraud prevention) that just were never in scope before. I think that w.r.t. header bloat, the most sensible approach is to only allow one origin to be specified. CSP by-design facilitates the use of multiple origins. As we've discussed w/Frame-Options, there is a design pattern to make the more basic single-origin approach functional. I would hate to see hosts serving up source lists of hundreds of origins, just because they can. I think that is exactly what will happen if we support multiple origins. With regard to obsolescence of X-FRAME-OPTIONS, it's easy to specify exactly what happens in the FRAME-OPTIONS spec. I don't see that CSP inherently improves on that but I may be missing something there. The advantage I see of bringing FRAME-OPTIONS into CSP is that it makes CSP more comprehensive. But I suspect there are plenty of other header-related security features that aren't defined by CSP (eg: the origin header, cookie security). Finally, as Brad pointed out in the rosetta stone thread, Frame-Options provides the flexibility to perform only a top level origin check as opposed to a full ancestor check. (Specified via the "AllAncestors" flag.) David Ross dross@microsoft.com -----Original Message----- From: websec-bounces@ietf.org [mailto:websec-bounces@ietf.org] On Behalf Of Hill, Brad Sent: Monday, July 09, 2012 5:03 PM To: Tobias Gondrom; websec@ietf.org Cc: public-webappsec@w3.org Subject: Re: [websec] Coordinating Frame-Options and CSP UI Safety directives Tobias, I'm happy to move the discussion primarily to websec, and I'll drop the cc: to webappsec after this email. Thanks for the historical clarification, as well. I'm not terribly concerned about which group does the work, as much as arriving at the engineering solution that works best for user agent and resource authors, some of whom have expressed preference for moving this functionality into CSP. As both a chair and an individual, I don't have a strong preference, but I think there are reasons in favor of each option and it is worth re-opening the discussion now that the WebAppSec WG has a concrete deliverable under development to address the same general class of attacks. I'll send out a summary shortly of the similarities and differences between the various options currently proposed for some additional context. -Brad Hill _______________________________________________ websec mailing list websec@ietf.org https://www.ietf.org/mailman/listinfo/websec
- [websec] Coordinating Frame-Options and CSP UI Sa… Hill, Brad
- Re: [websec] Coordinating Frame-Options and CSP U… Tobias Gondrom
- Re: [websec] Coordinating Frame-Options and CSP U… Tobias Gondrom
- Re: [websec] Coordinating Frame-Options and CSP U… Hill, Brad
- Re: [websec] Coordinating Frame-Options and CSP U… =JeffH
- Re: [websec] Coordinating Frame-Options and CSP U… David Ross
- Re: [websec] Coordinating Frame-Options and CSP U… David Ross
- Re: [websec] Coordinating Frame-Options and CSP U… Hill, Brad
- Re: [websec] Coordinating Frame-Options and CSP U… Adam Barth
- Re: [websec] Coordinating Frame-Options and CSP U… David Ross
- Re: [websec] Coordinating Frame-Options and CSP U… David Ross
- Re: [websec] Coordinating Frame-Options and CSP U… Thomas Roessler
- Re: [websec] Coordinating Frame-Options and CSP U… Tobias Gondrom
- Re: [websec] Coordinating Frame-Options and CSP U… Adam Barth
- Re: [websec] Coordinating Frame-Options and CSP U… Tobias Gondrom
- Re: [websec] Coordinating Frame-Options and CSP U… Adam Barth
- Re: [websec] Coordinating Frame-Options and CSP U… David Ross
- Re: [websec] Coordinating Frame-Options and CSP U… Adam Barth